iPhone security may be compromised by issues in Safari web browser and email client

Brian Chess, Chief Scientist at Fortify Software, has written an interesting article on some security weaknesses in the Safari browser and Mail client on the iPhone, each of which gives a phisher or scammer something to work with.

His well-written article highlights these main vulnerabilities:

Email client doesn't display full URL

The built-in Mail application doesn't show you the full URL of a link embedded in an email before you follow it, so the visible link text can say one thing while the underlying address points somewhere else entirely. A phisher can exploit this by sending out spam whose links direct the user to a malicious, fake web site, with nothing in the client to give the game away.

Safari browser only displays first part of URL

Safari's location bar shows only the first twenty or so characters of the URL. A fake address is usually quite easy to spot, but a phisher can put something legitimate-looking at the start of the address so that the part which would give it away lies beyond the cut-off and is never seen.
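The two URL-display problems above, modelled against a constructed phishing email. This is an added example and is not code from Brian Chess's article: the mail text, the hypothetical hostname `www.mybank.com.account-verify.example.net`, and the assumption that the visible width is 20 characters including the scheme are all mine. The first check flags links whose visible text advertises one host while the href leads to another (the information Mail never shows); the second shows what a twenty-character location bar would display for the phishing URL and whether the true host ever becomes visible.

```javascript
// Added example (not code from Brian Chess's article): models the two
// URL-display weaknesses above against a constructed phishing email.
// Node.js built-ins only (the global WHATWG URL class); no DOM needed.

// Constructed sample: an HTML email as a phisher might send it. The first
// link's text names the bank, but its href goes elsewhere. The hostname
// "www.mybank.com.account-verify.example.net" is hypothetical.
const PHISH_URL = 'http://www.mybank.com.account-verify.example.net/login';
const SAMPLE_EMAIL_HTML = `
<p>Please <a href="${PHISH_URL}">sign in to www.mybank.com</a> to confirm
your details.</p>
<p>Help pages: <a href="https://www.mybank.com/help">www.mybank.com/help</a></p>
<p>Or <a href="${PHISH_URL}">click here</a>.</p>
`;

// Minimal anchor extractor. A regex is enough for this constructed input;
// a real mail client would walk the parsed DOM instead.
function extractAnchors(html) {
  const re = /<a\s+[^>]*href\s*=\s*"([^"]*)"[^>]*>([\s\S]*?)<\/a>/gi;
  const anchors = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    anchors.push({ href: m[1], text: m[2].replace(/\s+/g, ' ').trim() });
  }
  return anchors;
}

// First URL-looking token in a piece of link text, or null if there is none.
function urlLikeIn(text) {
  const m = text.match(/(?:https?:\/\/)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:\/\S*)?/i);
  return m ? m[0] : null;
}

// Lower-cased hostname of a URL; a bare "www.example.org/x" is accepted too.
function hostOf(s) {
  if (s === null) return null;
  try {
    const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(s) ? s : 'http://' + s;
    return new URL(withScheme).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// True when host is the domain itself or lies beneath it.
function isUnder(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Mail issue: links whose visible text advertises one host while the href
// leads to an unrelated one. A client that showed the full href would let
// the user spot this; one that hides it cannot.
function findDeceptiveLinks(html) {
  return extractAnchors(html).filter(a => {
    const shown = hostOf(urlLikeIn(a.text));
    const real = hostOf(a.href);
    if (shown === null || real === null) return false; // "click here" links: only the href can tell
    return !isUnder(real, shown) && !isUnder(shown, real);
  });
}

// Safari issue: what a location bar that shows only the first `width`
// characters would display. The width (20) and counting the scheme towards
// it are assumptions taken from the article's "twenty or so".
function visibleAddress(url, width = 20) {
  return url.length > width ? url.slice(0, width) + '...' : url;
}

// Does the visible part reveal the true host? Here we simply check whether
// the full hostname appears in what the bar shows.
function trueHostVisible(url, width = 20) {
  return visibleAddress(url, width).includes(hostOf(url));
}

console.log(findDeceptiveLinks(SAMPLE_EMAIL_HTML).map(a => `${a.text} -> ${a.href}`));
console.log(visibleAddress(PHISH_URL), trueHostVisible(PHISH_URL));
```

Run it with `node` and the first link is the only one flagged: its text says `www.mybank.com` but the href's host is `www.mybank.com.account-verify.example.net`. The "click here" link is not flagged because there is no advertised host to contradict, which is exactly why a client needs to show the real href. The truncated address comes out as `http://www.mybank.co...`, so everything that would expose the fake domain is beyond the cut-off.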

JavaScript can be used to remove the location bar

It's possible for a piece of JavaScript on the page to scroll the location bar, where the URL of the web page is displayed, out of sight, leaving the user with no address to inspect at all.

Telephone numbers can be embedded in web pages

Telephone numbers can be placed in a web page as links that dial when tapped. The user is prompted to confirm before the call is made, but scammers can still try to sneak premium-rate numbers into web pages in the hope that some people will confirm without looking and inadvertently call the number.

Additionally, a phisher could embed a fake telephone number purporting to be the user's bank, and then have the victim confirm their account details by voice. Scary, if fallen for.
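An audit of the `tel:` links on a page, as an added example that is not from Brian Chess's article. It checks for both abuses described above: a link whose text advertises one number while the href dials another, and a link that dials a premium-rate number. The sample page and its 555-01xx numbers are constructed, and the two-entry premium-prefix list (North American 1-900 and UK 09 ranges) is an illustrative assumption rather than an authoritative numbering table.

```javascript
// Added example (not code from Brian Chess's article): audit the tel: links
// on a page or in an email for the two abuses described above. Node.js
// built-ins only.

// Constructed sample page. The numbers use the 555-01xx range reserved for
// fiction. Link 1 advertises a toll-free number but dials a premium one;
// link 2 openly shows a premium-rate "bank" number; link 3 is benign.
const SAMPLE_PAGE_HTML = `
<p>Questions? <a href="tel:+1-900-555-0100">Call us free on 1-800-555-0100</a></p>
<p>Lost card? <a href="tel:+44-906-555-0199">Call your bank: 0906 555 0199</a></p>
<p>Branch: <a href="tel:+1-212-555-0123">+1 212 555 0123</a></p>
`;

// Assumption for illustration only: North American 1-900 and UK 09 ranges
// are the well-known premium-rate blocks. A real check would consult an
// authoritative numbering-plan table, not a two-entry list.
const PREMIUM_PREFIXES = ['+1900', '+449'];

// Pull out tel: anchors with a small regex (enough for constructed input).
function extractTelLinks(html) {
  const re = /<a\s+[^>]*href\s*=\s*"tel:([^"]*)"[^>]*>([\s\S]*?)<\/a>/gi;
  const links = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    links.push({ number: m[1], text: m[2].replace(/\s+/g, ' ').trim() });
  }
  return links;
}

// Keep a leading '+' and the digits only: "+1-900-555-0100" -> "+19005550100".
function normalizeNumber(s) {
  const plus = s.trim().startsWith('+') ? '+' : '';
  return plus + s.replace(/\D/g, '');
}

// Digits of the first phone-number-looking run in the link text, or null.
function numberInText(text) {
  const m = text.match(/\+?\d[\d\s().-]{6,}\d/);
  return m ? m[0].replace(/\D/g, '') : null;
}

// Does the number the link dials match the one its text shows? Assumption:
// a national trunk "0" in the text (UK style 0906...) corresponds to the
// international form (+44906...) in the href.
function textMatchesDialed(text, dialed) {
  const shown = numberInText(text);
  if (shown === null) return true; // nothing advertised, nothing to contradict
  return dialed.replace('+', '').endsWith(shown.replace(/^0/, ''));
}

function auditTelLinks(html) {
  return extractTelLinks(html).map(link => {
    const dialed = normalizeNumber(link.number);
    return {
      text: link.text,
      dialed,
      premium: PREMIUM_PREFIXES.some(p => dialed.startsWith(p)),
      mismatch: !textMatchesDialed(link.text, dialed),
    };
  });
}

// Links worth warning about before the dial prompt is even reached.
function suspiciousTelLinks(html) {
  return auditTelLinks(html).filter(r => r.premium || r.mismatch);
}

console.log(auditTelLinks(SAMPLE_PAGE_HTML));
```

The first two links come back as suspicious: one because the text and the dialled number disagree, both because the dialled number sits in a premium-rate block. Note what the check cannot do: the fake "bank" number in link 2 is displayed honestly and only stands out because of its prefix, so a phisher using an ordinary geographic number for a voice-phishing line would pass unless the number were checked against the bank's published contact details.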

What's coming up: a prediction

Brian concludes his article with a look at two things he believes will happen in the coming year:

1. We'll learn more about the iPhone

"We'll learn about more cute tricks that web applications can use to look more like native iPhone applications and to interface with the iPhone and allow access to things like contacts, photos, and maybe even the phone's physical location. All of these features will expand the horizons of enterprising attackers."

2. All of the other handset makers in the world will begin to deliver their response to the iPhone.

"At that point, they will all have been working around the clock in panic mode for the better part of a year, and the devices will contain a treasure trove of security vulnerabilities that make the iPhone look like Fort Knox. After all, Apple got plenty of things right: at least you have to confirm before the phone dials."